DETAILED ACTION

1. Claims 1-15, 17-22 are pending in the Application. 

Claim Rejections - 35 USC § 101 
35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or 
any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and 
requirements of this title. 

2. Claims 1, 17-22 are rejected under 35 U.S.C. 101 because claims 1, 3, 17-22 are directed 
to a security system design. The language of the claims raises a question as to whether the claims 
are directed merely to an abstract idea that is not tied to a technological art, environment or 
machine which would result in a practical application producing a concrete, useful, and tangible 
result to form the basis of statutory subject matter under 35 U.S.C. 101. 

Claim Rejections - 35 USC § 112 
The following is a quotation of the second paragraph of 35 U.S.C. 112:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the 
subject matter which the applicant regards as his invention. 

3. Claims 1, 3-4, 7, 9-10, 12-13, 15, 17, 19 and 20-21 are rejected under 35 U.S.C. 112, second
paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject
matter which applicant regards as the invention.

Claims 1, 3 recite "storing internationally registered protection profiles that have
been generated and not internationally registered", emphasis added, in lines 6-8 of claim 1,
lines 5-7 of claim 3.

Claim 17 recites "a class tree of internationally registered PPs not internationally
registered", emphasis added, lines 5-6.

Claim 19 recites "storing internationally registered PPs not internationally
registered", lines 6-8.

Claim 21 recites "storing internationally registered protection profiles .... generated in
the past and not internationally registered", emphasis added, lines 6-8.

It is not clear, and it is confusing, whether the recited "protection profiles" and
"class tree" are internationally registered or not internationally registered.

Claim 20 recites the limitation "the PP/ST construction cases" in line 6. There is insufficient
antecedent basis for this limitation in the claim.

Dependent claims 4, 7, 9-10, 12-13 are also rejected by virtue of their dependencies. 

Claim Rejections - 35 USC § 102 
4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public use or on 
sale in this country, more than one year prior to the date of application for patent in the United States. 

Claims 1-21 are rejected under 35 U.S.C. 102(b) as being anticipated by Richard
Baskerville, ACM Computing Surveys, December 1993.

As per claims 1, 13, 17 and 21, Baskerville discloses a security system design 
supporting method for supporting designing of security requirements or security specifications 
based on an international security evaluation criteria during planning/designing of an
information-related product or an information system (see Introduction, page 375), said method
comprising the steps of: 

providing a template case database for storing internationally registered 
protection profiles (PP) or PP/STs (security targets), that have been generated and not 
internationally registered, in a class-tree structure based on a relation between types of products 
or systems as a target of evaluation (TOE) of said PP/STs [Pages 380-381, section 1.1 Checklist
System Development methods, i.e. Baskerville discloses in the first generation of security system
design, designers mark off the desired items from a checklist of possibilities. This reads on the
recited "providing a template case database"];

specifying the PP/STs related to the TOE by designating elements included in the 
products or systems, type and evaluation assurance level of the TOE and retrieving a relevant 
class-tree structure from said database [page 380, section 1.1, page 381, section 1.2, Baskerville
discloses in the first generation of security system design (i.e. internationally registered and that
checklist is in the form of questions based on international security evaluation recited in claim
13), checklist designs begin their design with examination of all known risks and controls and
that a list is provided of every conceivable control that can be implemented]; and

automatically generating a PP/ST draft of the TOE by integrally editing contents of a 
definition of the specified PP/STs [ see Table 1, under Primary Features, Baskerville discloses 
that the First generation Checklist maps (i.e. generates) the limited solutions onto the information 
problem]. 
As per claims 2 and 14, Baskerville discloses a security system design supporting
method comprising the steps of:

providing a partial case database for storing a security environment including 
assumptions, threats and organizational policies corresponding to the elements of the product or 
system accumulated by the PP/ST-applied, security objectives corresponding to the security 
environment, CC requirements corresponding to the security objectives, and information of a 
summary specification corresponding to the CC requirements [see page 383, under section Risk
Analysis and security evaluation, Baskerville discloses that security checklists are techniques
for evaluating an information system's vulnerability and that checklist organization (see Table
3) includes security environment, assumptions, threats, etc. (i.e. internationally registered and
that checklist is in the form of questions based on international security evaluation recited in
claim 14)];

automatically mapping from said database to corresponding information by designating 
the elements included in the product or system, the security environment, the security objectives 
and the security requirements of the TOE; and automatically generating a portion of contents of 
definition of the PP/ST associated with the TOE based on the corresponding information thus 
mapped [page 379, Table 1, under Primary Features, Baskerville discloses that the First
generation Checklist maps (i.e. generates) the limited solutions onto the information problem].

As per claims 3 and 15, Baskerville discloses a security system design supporting
method comprising the steps of:

automatically generating a PP/ST draft by a first security system design supporting method,
which comprises the steps of:

providing a template case database for storing internationally registered protection
profiles (PP) or PP/STs (security targets), that have been generated in the past and not
internationally registered, in a class-tree structure based on a relation between types of products
or systems as a target of evaluation (TOE) of said PP/STs database [Pages 380-381, section 1.1
Checklist System Development methods, i.e. Baskerville discloses in the first generation of
security system design, designers mark off the desired items from a checklist of possibilities.
This reads on the recited "providing a template case database" and that internationally
registered and that checklist is in the form of questions based on international security
evaluation recited in claim 15],

specifying the PP/STs related to the TOE by designating elements included in 
the products or systems, type and evaluation assurance level of the TOE and 
retrieving a relevant tree from said database [page 381, section 1.2, Baskerville discloses in the
first generation of security system design, checklist designs begin their design with examination 
of all known risks and controls and that a list is provided of every conceivable control that can be 
implemented], and 

automatically generating a PP/ST draft of the TOE by integrally editing 
contents of a definition of said specified PP/STs; 

partially adding or correcting the PP/ST by a second security system 
design supporting method, which comprises the steps of: 

providing a partial case database for storing a security environment including 
assumptions, threats and organizational policies corresponding to elements of the
products or systems accumulated by the PP/ST-applied cases, security objectives 
corresponding to the security environment, CC requirements corresponding to the 
security objectives, and information of a summary specification corresponding to the 
CC requirements [ page 379, table 2, under the heading Objective, selecting components] 

automatically mapping from said database to corresponding information by 
designating the elements included in the products or systems, the security 
environment, the security objectives and the security requirements of the TOE, and 

automatically generating a portion of contents of a definition of the PP/ST 
associated with the TOE based on the corresponding information thus mapped [page 379, table 2,
under the heading Challenges, discloses mapping problem to solution (in the First generation)
and organizing and integrating a complex set of elements (in the second generation) and
selecting the correct attributes for the model (in the Third generation)].

As per claim 4, A security system design supporting method 
according to Claim 1, further comprising the steps of: 

indicating the PP/STs stored in the template case database as icons by which the 
elements, type and the evaluation assurance level can be identified [ page 381, section 1.2, 
Checklist Security development Methods] 

specifying the PP/STs related to the TOE from the related class-tree based on reference 
PP/ST cases of the relations between the PP/STs expressed in a tree; and producing a structure 
diagram of the TOE using the icons of said specified PP/STs as constituting elements [ page 381, 
Baskerville discloses that checklist methods begin their design with an examination of all known 
risks and controls and a list is provided of every conceivable control that can be implemented in
a computer based system. Baskerville further discloses that the Analyst first checks to see if the
control is already in place, analyses its necessity when it is not found, and implements the
control when required].

As per claim 5, Baskerville discloses security system design supporting method 
according to Claim 2, further comprising the steps of: 

storing data concerning probability of occurrence of each threat and the loss amount 
affected by the threat and cost of protection each security objective collectively in the partial 
case database [page 383, under the heading Elementary Information Security Risk analysis] ; 

producing a formula of a combinatorial optimization problem by designating the
constraints of a risk acceptance, a cost limit value, a ratio of residual risk to protection cost and
objective functions for cost minimization or protection risk maximization with respect to a
relation between risk of each threat (the probability of occurrence multiplied by affected loss
amount) and the cost of protection of the corresponding security objectives [that is, R = P x C];
and

determining cost-effective optimal security objectives by solving said combinatorial 
optimization problem [page 384, Baskerville discloses figures to be used for new controls and 
cost, justifying any control changes in the system]. 

As per claim 6, Baskerville discloses a security system design supporting method 
according to Claim 2, further comprising the step of: 

verifying whether requirements of automatically generated contents of definition match 
dependency or relation between functional requirements and assurance requirements of the 
reference specifications based on the dependency or relation of the reference specifications [page
379, under the heading Means, Baskerville discloses solving each functional requirement in the 
Second Generation]. 

As per claims 7, 8 and 9, Baskerville discloses a security system design 
supporting method according to claims 1, 2 and 3, further comprising the steps of: 

automatically generating a rationale matrix indicating in a matrix table each
correspondence between the security environments, security objectives, the security
requirements and summary specification as a part of contents of the PP/ST definition from a
security environment, the security objectives, the security requirements and the summary
specification or the correspondence between them; and

verifying presence or absence of definition information lacking correspondence
using a rationale matrix generated [page 385, under the heading Smith-Lim, Knowledge base
System, Baskerville discloses tree based and Knowledge base which corresponds to the recited
limitations of automatically generating a rationale matrix and verifying presence or absence of
definition information using the matrix].

verifying presence or absence of the definition information lacking the
correspondence using said rationale matrix generated.

As per claims 10, 11 and 12, Baskerville discloses a security system design 
supporting method according to claims 1, 2 and 3, further comprising the steps of:

storing information newly added in a process of PP/ST generation and a result of 
PP/ST generation in accordance with relation and correspondence in the template case database 
and the partial case database; and improving and expanding information stored in the case 
database [page 385, Fig. 1, Baskerville discloses that in Smith-Lim Approach, the summary of
mapping the "threats" to "targets" can be adjusted to the reference of the organization, page 383,
Baskerville discloses that checklist along with a formal cost-benefit model provides a formal,
rationale means for consistently evaluating (adding or eliminating) highly specific vulnerabilities
which analysts can justify or reject various controls from an extensive checklist (or database)].

As per claim 18, Baskerville discloses a security system design
supporting method executed using a case database for storing a security environment including
assumptions, threats and organizational policies corresponding to elements of a product or a
system accumulated by PP/ST-applied cases, security objectives corresponding to security
environment, CC requirements corresponding to the security objectives, and information on a 
summary specification corresponding to the CC requirements, said method comprising the steps 
of: 

storing data concerning a probability of occurrence of each threat and a loss amount 
affected by the threat together with protection cost data of each security objective in said case 
database [Page 383, section 1.3.1 under the heading of Elementary Information Security Risk 
Analysis, P]; 

expressing in a formula a combinatorial optimization problem by designating constraints 
including risk acceptance, cost limit value, ratio of a residual risk to a protection cost and 
objective functions for protection risk maximization or cost minimization with respect to the
relation between the risk of each threat and the protection cost of corresponding security
objectives, the risk being expressed as a product of a probability of occurrence and affected
loss amount [R = P x C]; and

determining a cost-effective optimal security objective by solving said combinatorial
optimization problem [Page 383, left column]. 

Claim 21 is a computer program code corresponding to claim 18. Claim 19 is rejected for
the same reason provided in the statement of rejection of claim 18.

Claim 19 is a computer program code means corresponding to claims 1 and 10. Claim
19 is rejected for the same reasons stated in the statement of rejection of claims 1 and 10 above.

Claim 21 is a computer program corresponding to claim 1. Claim 21 is rejected for the 
same reason stated in the statement of rejection of claim 1 above. 

Claim Rejections - 35 USC § 102 
5. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

Claim 22 is rejected under 35 U.S.C. 102(e) as being anticipated by EP 1 065 861, 
published March 2001. 

EP 1 065 861 teaches a security design supporting method for creating a security
specification of an information system or a product, comprising the steps of (see abstract): 

providing a database in which security specifications relating to an information system
or an information product are previously registered in a class-tree structure based on an
inheritance relation between constituent elements, types of product or certification levels [page
5, paragraph 0027-0029, see also claim 1];

Application/Control Number: 09/640,016
Art Unit: 2131

when creating a security specification of an objective information system or a product as 
an object to be designed, sending relevant constituent elements or relevant security specifications 
of a product from said database using objective constituent elements, product type and acquired 
certification level as a search key [page 6, paragraph 0029, lines 45-65]; and 

when a plurality of specifications are searched, integrally editing the searched plurality of 
specifications into one specification according to a format of prescribed contents in respect to 
descriptions of the searched specifications to thereby automatically generate a specification draft 
of the objective information system or product [ page 9, lines 43-53]. 

Conclusion 

6. Prior art made of record, not relied upon:

US Patent 5,588,056 is directed to a pronounceable security password using a plurality of 
first word segment portions and second word segment portions, each of which has at least one 
character. A transition number for each of the plurality of first word segment portions is
identified, preferably using a Markov model. Each transition number corresponds to the number
of different second word segment portions which can be combined with the first word segment
portion to form a pronounceable word segment, such as a word syllable. A first word segment
portion is randomly selected. The selection of any one of the plurality of first word segment 
portions is of substantially equal probability. A second word segment portion, to which the 
transition number associated with the selected first word segment portion corresponds, is then 
randomly selected. The selection of any one of the corresponding second word segment portions
is likewise of substantially equal probability. The selected first and second word segment 
portions are combined to form at least a part of the pronounceable security password. 

US patent 6,405,364 discloses a system for building systems in a development 
architecture framework. The present invention is directed to both a system to be built and an 
implementation strategy to fulfill system requirements. Software components of the system are 
encapsulated with wrappers. The wrappers are adapted to be changed upon other software 
components of the system being changed while the encapsulated software components of the 
system remain unchanged. In one embodiment of the present invention, specifying the 
requirements of the system to be built and the implementation strategy to fulfill the requirements 
may be carried out using tools such as data modeling tools, process modeling tools, event 
modeling tools, performance modeling tools, object modeling tools, component modeling tools, 
reuse support tools, prototyping tools, application logic design tools, database design tools, 
presentation design tools, communication design, and usability test tools. In another embodiment 
of the present invention, improving the performance and maintenance of the system may be 
carried out using tools such as interactive navigation tools, graphical representation tools, 
extraction tools, repository tools, restructuring tools, and data name rationalization tools. 

Automated Password Generator (APG), FIPS PUB 181, October 5, 1993, pages 1-9
downloaded from the Internet, Feb. 2, 2005.

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Taghi T. Arani whose telephone number is (571) 272-3787. The 
examiner can normally be reached on 8:00-5:30 Mon-Fri. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on (571) 272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
Examiner